Category Archives: Microsoft
Random Pop-ups
help!!
At somewhat random times I get a “black window” pop-up that stays up for several seconds and then goes away. If I hover over it I’ll see something like the following:
c:\users\tomti\appdata\roaming\licensing Validator updater\SecurityHealthService.exe or
c:\users\tomti\appdata\roaming\secure Transaction Systems\SecurityHealthservice.exe or
c:\users\tomti\appdata\roaming\licensing validator
What should I do?
Why does Copilot stop answering?
Frequently when using Copilot, it will stop answering with a message insisting on a change of topic. These refusals to respond don’t seem to be associated with the topic under discussion or any objectionable material, but are entirely random. Starting a new topic and restating the unanswered question just gives the same “change topic” message. The only fix is to shut Copilot down and try again later. Needless to say, this is suboptimal.
Does anyone know what’s going on around here and how to fix it?
MS Project 2021 Professional missing commands
The following commands are missing from Microsoft Project Professional 2021:
Sprints Project template (from the File Ribbon | New tab).
Link task to planner plan (from the Task Ribbon | Planner tab (the tab is also missing)).
Task Boards (from the Report Ribbon).
Manage Sprints (from the Project Ribbon).
Task Board (from the View Ribbon).
Will those commands become available when logged in to a work account with a current subscription to MS 365?
Thank you
Error 2604 upon login
This might not be the place for this regarding MRD and AVD, but I have one M1-based Apple laptop that I can log on to the Army desktop from fine, but on an Intel-based machine (macOS 13.6.7, MRD 10.9.8) I get an error 2604 at the login screen after punching in my PIN. If this is dealt with somewhere else a simple referral will be fine, but I have not seen this issue on any Army or Microsoft support boards or troubleshooting guides.
And after this MRD gives the message “Error: MSAL failed to acquire claims token – Network infrastructure failed.”
Azure API Center: Centralizing API Management to Improve Discovery and Governance
Have you ever considered centralizing the management of your APIs in a single place, making it easier to discover and govern your services? Azure API Center is a solution that will help you reach that goal, offering a unified platform for creating, publishing, managing and monitoring APIs. In this article we take a closer look at this service, its features and its benefits.
New Free Training on Microsoft Learn: Introduction to Azure API Center!
But before we begin, we would like to share some big news! There is a new free training course on Microsoft Learn about Azure API Center.
Remember that, after completing the course, you receive a certificate of completion that you can share on your social networks and even on your résumé or LinkedIn. Check out the training now:
What is Azure API Center?
Azure API Center lets organizations build and maintain a structured, organized inventory of their APIs, regardless of type, lifecycle stage or deployment location. This centralized hub lets stakeholders such as API Producers, API Consumers and API Platform Engineers discover, reuse and govern APIs efficiently. By providing version details, API definition files and common metadata, Azure API Center ensures that APIs are easy to access and manage.
But what are the main benefits of this service? Let's look at them below.
Benefits of Azure API Center
Create and maintain an organizational API inventory: Azure API Center lets us build a complete inventory of all of an organization's APIs. It also makes it possible to promote collaboration between API Producers, API Consumers and API Platform Engineers to increase reuse, quality, security, compliance and productivity for everyone involved, especially developers.
Governance of the organization's APIs: With Azure API Center you get full visibility of the APIs being produced and consumed across the organization. Another important point is the definition of custom metadata, so that API definitions can be analyzed to ensure compliance with organizational standards.
Easy API discovery: The service also promotes API reuse to maximize developer productivity and lets program managers and developers discover APIs using built-in and custom metadata.
Accelerate API consumption: Finally, time is precious, and Azure API Center improves developer productivity by ensuring secure API consumption in line with organizational standards.
Key Capabilities of Azure API Center
Azure API Center offers a set of capabilities that help simplify API management, such as:
API inventory management: Register all of the organization's APIs in a centralized inventory.
Real-world representation of APIs: Add real information about each API, including versions and OpenAPI definitions. You can list API deployments and associate them with runtime environments.
API governance: Organize and filter APIs using built-in and custom metadata. Configure linting and analysis to ensure the quality of API definitions.
API discovery and reuse: Enable API discovery through the Azure portal, the API Center portal and development tools integrated with Visual Studio Code: the Azure API Center Extension. This extension lets you create, discover, explore and consume APIs directly from Visual Studio Code.
Region Availability and Pricing
Azure API Center is available in several Azure regions, including:
Australia East
Central India
East US
UK South
West Europe
Azure API Center is offered in the Free and Standard plans.
There are many other interesting aspects of Azure API Center. We leave you with a video by Julia Kasper, Program Manager for Azure API Center at Microsoft, recorded during Microsoft Build 2024, in which she talks more about the service:
Next Steps
Azure API Center is a powerful tool for centralizing and managing APIs within an organization. With its robust features and upcoming improvements, it promises to simplify API governance, improve visibility and enhance the overall developer experience.
We encourage you to explore Azure API Center and discover how it can help your organization manage APIs more efficiently.
Additional Resources
If you want to learn more about Azure API Center, see the official Azure documentation and the other resources below:
Official Azure API Center documentation
Tutorial: Define custom metadata
Tutorial: Register APIs in your API inventory
Tutorial: Add environments and deployments for APIs
Samples, labs and templates for Azure API Center
Here are also some blog posts published by Microsoft Cloud Advocates and Product Managers about Azure API Center:
Azure API Center: The First Look by Justin Yoo
Azure API Center: Your Comprehensive API Inventory and Governance Solution by Julia Kasper
Universal API Center – A Truly Comprehensive API Catalog that Warmly Welcomes All Your APIs! by Alexandre Vieira
Samples and References
The APIC (Azure API Center) portal shown in the image below was built with the following technologies:
.NET SDK 8.0
Node.js v.18x
API Center Extension
Azure Developer CLI
Azure CLI
If you prefer learning through videos, we recommend this video series on Azure API Center:
We hope you enjoyed this article and found it useful. If you have any questions or comments, feel free to share them with us.
See you in the next article!
ON DEMAND | SharePoint in-depth: Learning content
There’s the thinking cap. And then there’s the deep-thinking cap. It’s time to put on the latter.
This article contains eight in-depth videos about SharePoint – now on demand and embedded below, with five more coming soon.
You’ll discover SharePoint’s capabilities and upcoming features, focusing on content management, collaboration, and leveraging AI in Microsoft 365. You’ll gain a deeper understanding of AI’s role in content creation and management. As the intranet evolves, you’ll advance with it, with tools to help build strategies for corporate communications. As your own brand ambassador, you’ll learn how to personalize SharePoint to create content consistent with organizational identity. And of course, we have updated content for admins and devs, showing the latest ways to manage and extend SharePoint. Last, we added Jeff Teper’s recent keynote to give you the broadest insights on the transformative impact of Copilot together with Microsoft 365, signaling a new era of AI-driven productivity.
OK, on to the show(s) (on demand)!!! All content is as it was presented during the Microsoft 365 Community Conference, presented by top product makers from Microsoft.
Note: Beyond the SharePoint content below, you can view all recorded sessions on demand now within the full Microsoft 365 Community Conference playlist on the Microsoft Community Learning channel (YouTube). You’ll find keynotes, general sessions, and numerous breakout sessions — in their entirety.
The best, recent overview of SharePoint in the era of AI
“Content Management and Collaboration for the AI Era” presented by Zach Rosenfield, Melissa Torres, Lincoln DeMaris, Ashu Rawat, and Sesha Mani. Learn how creating content in the era of AI gives you opportunities to unleash your creativity and simplify large-scale content management. You’ll see and hear ways to enrich your content, get insights from your store of knowledge, and transform document-driven solutions with experiences across Microsoft 365. Watch below:
SharePoint powers your intranet and communicators
“The intranet of tomorrow: beautiful, flexible, and AI ready” presented by Denise Trabona and Dave Cohen. What is the intranet of the future all about? We’ll cover industry trends around content presentation, more robust authoring experiences, and what the era of AI means for your intranet. The video contains many demos and design tips and tricks throughout. Watch now:
“Planning a Corporate Comms strategy w/SharePoint News & Viva Amplify” presented by Naomi Moneypenny, Maeneka Grewal, and Dave Cohen. This transformation track session spans strategy, best practices, and product guidance. Learn how to plan a corporate communications strategy leveraging the power of SharePoint news and Viva Amplify. Watch now:
Look and feel: Make SharePoint your own.
“Branding SharePoint Sites, Clipchamp Videos, Teams Meetings, & More” presented by Cathy Dew. Learn how to take control of your authoring experience and create rich content easily, by your design and on brand, throughout your intranet, across applications, and consistently. Cathy brings a lot of demos, how-to guidance, and best practices. Watch now:
Manage and control: Get up to speed as an admin.
“What’s New in SharePoint Admin Center, Copilot, and Beyond” presented by Dave Minasyan. Learn how you can leverage Copilot within the SharePoint admin center to discover and learn new management and control capabilities, understand the impact to your organization, and quickly implement them. Watch now:
“Plan and Deliver a Friction Free Migration to Microsoft 365” presented by Visha Chadha, Tony Mathew, and Yogesh Ratnaparkhi. Are you considering migrating to Microsoft 365? Learn about the latest enhancements in Microsoft 365 migrations and how you can seamlessly migrate your organization to Microsoft from the current productivity stack including Google Workspace, Box, Dropbox, and on-premises networks. Watch now:
A new offer for developers
“SharePoint Embedded: Build custom content apps with Microsoft 365” presented by Marc Windle and Farreltin Fan. Explore how SharePoint Embedded accelerates content-centric app development and leverages Microsoft 365’s robust security, compliance, and collaboration capabilities. Build your custom app with SharePoint built in, as your app’s primary, robust content service. Watch below:
Get the broadest view of Microsoft 365: watch Jeff Teper’s opening keynote.
“The Age of Copilots” presented by Jeff Teper, Miceile Barrett, Derek Snyder, and Naomi Moneypenny. See how innovation in Microsoft Copilot, SharePoint, OneDrive, and Teams – combined with the familiarity and scale of Microsoft 365 – unlocks productivity and transforms business processes for everyone across all functions and industry in this new era of AI. Watch now:
Coming soon
We’ll update this blog post with more content as soon as the below gets published.
For now, review what related session content is “coming soon”:
“SharePoint: Maximize the value of your content with AI-powered content processing.”
“SharePoint: Transform your content experiences in the era of AI.”
“The Ins and Outs of Microsoft 365 Backup, Archive”
“SharePoint Architecture: A Look Behind the Scenes”
“Copilot for Microsoft 365: Extensibility 101”
SharePoint is the primary content services platform across Microsoft 365 apps.
Whether you’re collaborating with a project team on a Loop, watching a meeting recording via Stream, or using sites to supercharge your intranet, SharePoint is at the center of it all. This is that PB/month of content at work for you – be it a loop, a list, a file, a video, a site – it’s stored in and powered by SharePoint. This allows us to deliver a best-in-class content platform that our customers love, using apps that also abide by our trusted data security and privacy standards.
Thank you for your interest in taking your knowledge and depth of SharePoint to the next level. It warms our metadata-driven hearts!
Cheers, Mark “in depth” Kashman
Why do improperly formatted emails come through, yet I can’t block them?
I am getting a lot of spam emails with an oddly formatted address, and when I click to block them, I get a message that the address is improperly formatted and it does not let me block them.
For example, the sender’s address will be something like, email address removed for privacy reasons admin@1234zxcv. Note the space between hotmail.com and admin, plus 2 “@” signs. In order to block it, I have to copy the part after the 2nd “@” sign and manually enter it in my blocked senders list … which means I have to open the email (which, of course, Microsoft has told us we should not do).
If the address is improperly formatted, why in the world wouldn’t that be a red flag for hotmail? Why would Microsoft even let an email like that come through?
Between the whole junk mail fiasco and this, I am beginning to wonder if ANYONE at Microsoft is paying attention.
Outlook with iCloud mail
I have a family e-mail account on iCloud (@me.com).
On this account is the Apple user ID account (email address removed for privacy reasons) and a proxy e-mail address for one family member (email address removed for privacy reasons)
The new version of Outlook on Windows 11 will let all of the e-mail be displayed in the Inbox (recipient shown as parent@me or name@me), but when replying or generating a new e-mail it only gives the parent@me option to use.
Every other e-mail client I’ve used (Apple’s Mail for desktop as well as iOS mail) will let them work as stand-alone addresses. When you generate an e-mail you can pick as sender email address removed for privacy reasons, email address removed for privacy reasons, email address removed for privacy reasons, email address removed for privacy reasons, email address removed for privacy reasons
And the older MS Mail client that came with Windows prior to version 11 saw all e-mails and treated them differently.
I’ve got Outlook recognizing the email address removed for privacy reasons address, but it does not allow email address removed for privacy reasons to work as an independent address.
Has anyone faced this before?
Bing Image Creator isn’t saving my images in the collections like it used to
It automatically saves the images in the recent collection that’s been saved, right? So, why does it keep saving to “My Saves” when the most recent collection I’ve saved to is not “My Saves”. I’ve done this before already and it works by clicking the save button again and removing the image from “My Saves” and saving it to the other collection I want the images to be automatically saved in (because I’m not sure you can click the save button without it automatically saving in the most recent collection) and it worked before. But now, it’s not wanting to do just that and I have to click numerous times to get it to save in the right collection.
Partly English terms in German Windows Server 2019 – Update 2024-06
Hi folks,
Since the latest cumulative update (KB5039217), English terms have been appearing in the dialogs on our German-language Windows Server 2019 servers. Uninstalling this update fixes the problem, but in my opinion it is not a solution as it leads to security problems.
Are there other solutions to this?
Thanks in advance
Frank
Update KB5039304 does not install
In Windows Update the update KB5039304 runs through 100%, but in restart it only runs to 36%.
After a few minutes there, it gives an error message (no numbers or anything identifiable) and performs a roll-back.
Back in Windows the update KB5039304 is then presented again etc. etc. etc.
Verifying answers with external tables (excel)
Hi everyone,
I’d like to verify answers entered in a form through external tables (in Excel, for instance).
Here is the situation
I run a competition and need to create two forms for the registration of
– teams
– members of each team (already registered)
The field linking both tables is the “team’s name”
For the “Team’s Members” form, I want to make sure the Team has already been created => I therefore need to test the “Team’s name” entry:
– if the entry exists in the “Teams” database (Excel file linked to the Form, I guess) => the user will be allowed to enter the data for a new member
– if it doesn’t exist, then the user will NOT be allowed to carry on (with a message indicating he has to create a “Team” first)
Any idea on how to do this?
Thank you in advance
Trying to delete Sideloaded Add-Ins causes a 300 error.
I sideloaded Add-Ins via https://aka.ms/olksideload.
When I try to delete these Add-Ins again, I get a 300 Error.
Furthermore it seems to affect other Add-Ins too, as no Add-Ins are shown anymore at all in the Edit-Event Screen.
webhook
I am the administrator for my company’s SharePoint and Office accounts but cannot configure a webhook connection for Teams.
I get this message (see attachment).
I have all credentials and groups assigned to my user in the admin site for members’ administration.
I am trying to create a webhook using the Add Webhook option in Teams.
What credentials do I need to have? In the admin center, I have been assigned the role of Teams Communications Administrator.
Detecting service account provisioning
Hi all
I’m doing some research around the creation and enabling of old-fashioned service accounts using MS Defender. I’m trying to achieve a couple of things actually. I can detect LogonType of Service on MDE onboarded machines using the DeviceLogonEvents table. But there are a few other things I would like to achieve
1.) Raise an alert when a domain account is granted the “Logon as a Service” right on any machine.
2.) When an account that has never logged on as service suddenly does so.
3.) Perhaps detect when a user account’s ServicePrincipalName attribute is populated or updated.
So the service account logon query looks like this:
DeviceLogonEvents
| where Timestamp >= ago(30d)
// non-interactive logon types typical of service accounts
| where LogonType == "Service" or LogonType == "Batch"
// case-insensitive match on the account domain
| where AccountDomain =~ "saica"
| summarize count() by AccountName, DeviceName, LogonType
| sort by count_ desc
The other ones seem to be a bit trickier.
Anyone got any ideas? I would rather not install the MMA agent everywhere and ingest security event logs.
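As an added example (not code from the post), the logic for item 2 above, an account that has never logged on as a service suddenly doing so, written in Python over a handful of constructed DeviceLogonEvents-style rows, so the window arithmetic can be checked offline before it is turned into an Advanced Hunting query. The account and device names are made up; only the "saica" domain and the Service/Batch logon types come from the post.

```python
from datetime import datetime, timedelta

# Constructed sample rows, modelled on the DeviceLogonEvents columns the post's
# query uses. They are not real telemetry; names are invented for illustration.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-03T08:00:00Z", "AccountDomain": "saica", "AccountName": "svc-backup",
     "DeviceName": "srv01", "LogonType": "Service"},
    {"Timestamp": "2024-06-01T08:00:00Z", "AccountDomain": "saica", "AccountName": "svc-backup",
     "DeviceName": "srv01", "LogonType": "Service"},
    # Known service account, but the first time it runs as a service on srv02
    {"Timestamp": "2024-06-14T14:00:00Z", "AccountDomain": "saica", "AccountName": "svc-backup",
     "DeviceName": "srv02", "LogonType": "Service"},
    # User account that has never logged on as a service before
    {"Timestamp": "2024-06-15T02:10:00Z", "AccountDomain": "saica", "AccountName": "jdoe",
     "DeviceName": "wks07", "LogonType": "Service"},
    {"Timestamp": "2024-06-15T03:00:00Z", "AccountDomain": "saica", "AccountName": "jdoe",
     "DeviceName": "wks07", "LogonType": "Interactive"},
    # Different domain: outside the scope of the post's query
    {"Timestamp": "2024-06-15T04:00:00Z", "AccountDomain": "contoso", "AccountName": "svc-x",
     "DeviceName": "srv09", "LogonType": "Batch"},
]


def parse_ts(value):
    """Advanced Hunting exports Timestamp as ISO 8601 UTC, e.g. 2024-06-15T02:10:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def first_seen_service_logons(events, now, recent_days=1, baseline_days=30,
                              domain="saica", logon_types=("Service", "Batch")):
    """Find accounts whose first Service/Batch logon inside the baseline window
    falls in the recent window (item 2 in the post), plus account/device pairs
    that are new in the recent window although the account itself was known."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = now - timedelta(days=baseline_days)
    first_by_account = {}
    first_by_pair = {}
    for e in events:
        if e["AccountDomain"].lower() != domain.lower():
            continue
        if e["LogonType"] not in logon_types:
            continue
        ts = parse_ts(e["Timestamp"])
        if ts < baseline_start or ts > now:
            continue  # outside the retention window; nothing to compare against
        account = e["AccountName"].lower()
        pair = (account, e["DeviceName"].lower())
        first_by_account[account] = min(ts, first_by_account.get(account, ts))
        first_by_pair[pair] = min(ts, first_by_pair.get(pair, ts))
    new_accounts = sorted(a for a, t in first_by_account.items() if t >= recent_start)
    new_pairs = sorted(p for p, t in first_by_pair.items()
                       if t >= recent_start and p[0] not in new_accounts)
    return {"new_service_accounts": new_accounts,
            "new_account_device_pairs": new_pairs}


if __name__ == "__main__":
    print(first_seen_service_logons(SAMPLE_EVENTS, now=parse_ts("2024-06-15T12:00:00Z")))
```

The result depends on how much history is available: with recent_days equal to baseline_days every account looks new, which is the same blind spot a KQL query bounded by ago(30d) has for accounts whose last service logon is older than the retention window. In Advanced Hunting the same shape is a summarize of min(Timestamp) by AccountName over the long window, filtered to first-seen timestamps inside the short one. Items 1 and 3 in the post are not logon events: the “Log on as a service” right and the ServicePrincipalName attribute are changes to local security policy and to the directory, which DeviceLogonEvents does not record.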
Dual-region deployments using Secure Virtual WAN Hub with Routing-Intent without Global Reach
This article describes the best practices for connectivity, traffic flows, and high availability of dual-region Azure VMware Solution when using Azure Secure Virtual WAN with Routing Intent. You learn the design details of using Secure Virtual WAN with Routing-Intent, without Global Reach. This article breaks down Virtual WAN with Routing Intent topology from the perspective of Azure VMware Solution private clouds, on-premises sites, and Azure native. The implementation and configuration of Secure Virtual WAN with Routing Intent are beyond the scope and aren’t discussed in this document.
In regions without Global Reach support, or where a security requirement calls for inspecting traffic between Azure VMware Solution and on-premises at the hub firewall, a support ticket must be opened to enable ExpressRoute to ExpressRoute transitivity for both regional hubs. ExpressRoute to ExpressRoute transitivity isn’t supported by default with Virtual WAN (see Transit connectivity between ExpressRoute circuits with routing intent).
Secure Virtual WAN with Routing Intent is only supported with the Virtual WAN Standard SKU. Secure Virtual WAN with Routing Intent can send all Internet traffic and private network traffic to a security solution such as Azure Firewall, a third-party Network Virtual Appliance (NVA), or a SaaS solution. In this scenario, the network topology spans two regions. There is one Virtual WAN with two hubs, Hub1 and Hub2. Hub1 is in Region 1 and Hub2 is in Region 2. Each hub has its own instance of Azure Firewall deployed (Hub 1 Firewall, Hub 2 Firewall), making each a Secure Virtual WAN Hub. Having Secure Virtual WAN hubs is a technical prerequisite for Routing Intent. Secure Virtual WAN Hub1 and Hub2 have Routing Intent enabled.
Each region also has an Azure VMware Solution Private Cloud and an Azure Virtual Network. There’s also an on-premises site connecting to both regions, which we review in more detail later in this document.
Note
If you’re using non-RFC1918 prefixes in your connected on-premises networks, Virtual Networks or Azure VMware Solution, make sure you have specified those prefixes in the “Private Traffic Prefixes” text box for Routing Intent. Keep in mind that you should always enter summarized routes only in the “Private Traffic Prefixes” section to cover your range. Do not input the exact range that is being advertised to Virtual WAN, as this can lead to routing issues. For example, if the ExpressRoute Circuit is advertising 40.0.0.0/24 from on-premises, put a /23 CIDR range or larger in the Private Traffic Prefix text box (example: 40.0.0.0/23). (See Configure routing intent and policies through Virtual WAN portal.)
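As an added example (not from the original article), the following Python check applies the rule in this note to a list of prefixes advertised to the hub: it lists the prefixes outside RFC 1918 that need a Private Traffic Prefixes entry, and flags entries that are missing or that repeat the advertised range exactly instead of summarizing it. The 40.0.0.0/24 and 40.0.0.0/23 values come from the note; the other sample prefixes are constructed, and the check assumes IPv4 prefixes.

```python
from ipaddress import ip_network

# Default private traffic prefixes that Routing Intent already sends to the firewall.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def outside_rfc1918(advertised):
    """Advertised IPv4 prefixes not contained in any RFC 1918 block. These are the
    ones that need an explicit, summarized Private Traffic Prefixes entry."""
    return [p for p in advertised
            if not any(block.supernet_of(ip_network(p)) for block in RFC1918)]


def suggest_summary(prefix):
    """One-bit-shorter summary of an advertised prefix, e.g. 40.0.0.0/24 -> 40.0.0.0/23."""
    net = ip_network(prefix)
    if net.prefixlen == 0:
        return str(net)
    return str(net.supernet(prefixlen_diff=1))


def validate_private_prefixes(advertised, configured):
    """Compare the Private Traffic Prefixes entries (configured) with what is
    advertised to the hub. Returns a list of problems; empty means the note is followed:
    every non-RFC1918 advertised range is covered by a strictly larger summary."""
    problems = []
    configured_nets = [ip_network(c) for c in configured]
    for p in outside_rfc1918(advertised):
        adv = ip_network(p)
        if any(c == adv for c in configured_nets):
            problems.append(f"{p}: entered exactly as advertised; use a summary such as "
                            f"{suggest_summary(p)} or larger")
        elif not any(c.supernet_of(adv) for c in configured_nets):
            problems.append(f"{p}: not covered by any Private Traffic Prefixes entry")
    return problems


if __name__ == "__main__":
    # Constructed sample: one public range from on-premises, one RFC 1918 VNet range.
    advertised = ["40.0.0.0/24", "10.1.0.0/16"]
    print(validate_private_prefixes(advertised, ["40.0.0.0/23"]))   # []
    print(validate_private_prefixes(advertised, ["40.0.0.0/24"]))   # exact-match problem
```

The exact-match case is flagged even when a covering summary is also present, because the note says not to enter the advertised range at all; remove the exact entry rather than adding a summary next to it.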
Note
When configuring Azure VMware Solution with Secure Virtual WAN Hubs, ensure optimal routing results on the hub by setting the Hub Routing Preference option to “AS Path” (see Virtual hub routing preference).
Understanding Topology Connectivity
Connection | Description
Connections (D) | Azure VMware Solution private cloud connection to its local regional hub.
Connections (E) | On-premises connectivity via ExpressRoute to both regional hubs.
Inter-Hub | Inter-Hub logical connection between two hubs that are deployed under the same Virtual WAN.
The following sections cover traffic flows and connectivity for Azure VMware Solution, on-premises, Azure Virtual Networks, and the Internet.
This section focuses on only the Azure VMware Solution private clouds in both regions. Each Azure VMware Solution private cloud has an ExpressRoute connection to the hub (connections labeled as “D”).
With ExpressRoute to ExpressRoute transitivity enabled on the Secure Hub and Routing-Intent enabled, the Secure Hub sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to both Azure VMware Solution private clouds over connection “D”. In addition to the default RFC 1918 addresses, both Azure VMware Solution private clouds learn more specific routes from Azure Virtual Networks and Branch Networks (S2S VPN, P2S VPN, SDWAN) that are connected to both Hub 1 and Hub 2. Neither Azure VMware Solution private cloud learns specific routes from on-premises networks; to route traffic back to on-premises, each uses the default RFC 1918 addresses it learned via connection “D” from its local regional hub. This traffic transits the local regional Hub firewall, as shown in the diagram. The Hub firewall has the specific routes for on-premises networks and forwards traffic toward the destination over connection “E”. Traffic from either Azure VMware Solution private cloud heading to Virtual Networks also transits the Hub firewall. For more information, see the traffic flow section.
The diagram illustrates traffic flows from the perspective of the Azure VMware Solution Private Cloud Region 1 and Azure VMware Solution Private Cloud Region 2.
Traffic Flow Chart

| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
|---|---|---|---|---|
| 1 | Azure VMware Solution Cloud Region 1 | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 1 firewall |
| 2 | Azure VMware Solution Cloud Region 1 | → | On-premises | Yes, traffic is inspected at the Hub 1 firewall |
| 3 | Azure VMware Solution Cloud Region 1 | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall |
| 4 | Azure VMware Solution Cloud Region 1 | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall |
| 5 | Azure VMware Solution Cloud Region 2 | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 2 firewall, then the Hub 1 firewall |
| 6 | Azure VMware Solution Cloud Region 2 | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 2 firewall |
| 7 | Azure VMware Solution Cloud Region 2 | → | On-premises | Yes, traffic is inspected at the Hub 2 firewall |
This section focuses only on the on-premises site. As shown in the diagram, the on-premises site has an ExpressRoute connection to both Hub 1 and Hub 2 (connection labeled as “E”).
With ExpressRoute to ExpressRoute transitivity enabled on both Secure Hubs and Routing-Intent enabled, each Secure Hub sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to on-premises over connection “E”. In addition to the default RFC 1918 addresses, on-premises learns more specific routes from Azure Virtual Networks and Branch Networks (S2S VPN, P2S VPN, SDWAN) that are connected to both Hub 1 and Hub 2.
By default, on-premises doesn’t learn the specific routes for both Azure VMware Solution Private Clouds. Instead, it routes to both Azure VMware Solution Private Clouds using the default RFC 1918 addresses it learns over connection “E”. On-premises will learn the default RFC 1918 addresses from both Hub 1 and Hub 2 via connection “E”.
Note
It’s extremely important to add specific routes on both hubs. If you don’t add specific routes on the hubs, it leads to suboptimal routing because on-premises uses Equal-Cost Multi-Path (ECMP) between the “E” connections for traffic destined to any Azure VMware Solution Private Cloud. As a result, traffic between on-premises and any Azure VMware Solution Private Cloud may experience latency, performance issues, or packet drops.
To advertise a more specific route down to on-premises, add it in the “Private Traffic Prefixes” box within Routing Intent – see Configure routing intent and policies through Virtual WAN portal. You need to add a summarized route that encompasses both your Azure VMware Solution /22 block and your Azure VMware Solution subnets. If you add the same exact prefix or a more specific prefix instead of a summary route, you introduce routing issues within the Azure environment. Therefore, it’s important to remember that any prefixes added to the “Private Traffic Prefixes” box must be summarized routes.
As illustrated in the diagram, Azure VMware Solution Private Cloud 1 includes workload subnets from 10.10.0.0/24 to 10.10.7.0/24. On Hub 1, the summary route 10.10.0.0/21 is added to “Private Traffic Prefixes” because it encompasses all eight subnets. Additionally, on Hub 1, the summary route 10.150.0.0/22 is added to “Private Traffic Prefixes” to cover the Azure VMware Solution management block. Summary routes 10.10.0.0/21 and 10.150.0.0/22 are then advertised down to on-premises via connection “E”, providing on-premises with a more specific route than 10.0.0.0/8.
Azure VMware Solution Private Cloud 2 includes workload subnets from 10.20.0.0/24 to 10.20.7.0/24. On Hub 2, the summary route 10.20.0.0/21 is added to “Private Traffic Prefixes” because it encompasses all eight subnets. Additionally, on Hub 2, the summary route 10.250.0.0/22 is added to “Private Traffic Prefixes.” This covers the Azure VMware Solution management block. Summary routes 10.20.0.0/21 and 10.250.0.0/22 are then advertised down to on-premises via connection “E.” This provides on-premises with a more specific route than 10.0.0.0/8.
There’s no issue in adding the entire Azure VMware Solution Management /22 block under “Private Traffic Prefixes” because Azure VMware Solution doesn’t advertise the exact /22 block back to Azure; it always advertises more specific routes.
As mentioned earlier, when you enable ExpressRoute to ExpressRoute transitivity on the Hub, it sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to your on-premises network. Therefore, you shouldn’t advertise the exact RFC 1918 prefixes (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) back to Azure. Advertising the same exact routes creates routing problems within Azure. Instead, you should advertise more specific routes back to Azure for your on-premises networks.
Note
If you’re currently advertising the default RFC 1918 addresses from on-premises to Azure and wish to continue this practice, you need to split each RFC 1918 range into two equal sub-ranges and advertise these sub-ranges back to Azure. The sub-ranges are 10.0.0.0/9, 10.128.0.0/9, 172.16.0.0/13, 172.24.0.0/13, 192.168.0.0/17, and 192.168.128.0/17.
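The two rules above (a “Private Traffic Prefixes” entry must be a true summary, never the exact prefix or a more specific one, and on-premises must not advertise the exact RFC 1918 ranges) are easy to get wrong in a change window. The following Python check is an added example, not part of the original article or of any Azure tooling; it uses the prefixes from the Hub 1 example in the text, and the management routes it treats as “advertised” by the private cloud are constructed placeholders for the more specific routes Azure VMware Solution advertises instead of the exact /22.

```python
"""Pre-change validation for Routing Intent "Private Traffic Prefixes" (added example).

Rules taken from the article:
  * each entry must strictly contain the Azure VMware Solution routes it summarizes;
  * an entry that equals, or is more specific than, an advertised route causes routing issues;
  * an entry that is an exact RFC 1918 range duplicates what the hub already sends;
  * on-premises should advertise the two halves of each RFC 1918 range, not the range itself.
"""
from ipaddress import ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def validate_private_traffic_prefixes(private_traffic_prefixes, advertised_routes):
    """Return a list of problems; an empty list means the entries are safe summaries.

    private_traffic_prefixes: prefixes typed into the Routing Intent box for one hub.
    advertised_routes: routes the private cloud advertises to that hub (workload subnets
        plus the more specific management routes).
    """
    summaries = [ip_network(p) for p in private_traffic_prefixes]
    routes = [ip_network(r) for r in advertised_routes]
    problems = []
    for s in summaries:
        if s in RFC1918:
            problems.append(f"{s}: exact RFC 1918 range; the hub already advertises it")
        for r in routes:
            if s == r:
                problems.append(f"{s}: identical to advertised route {r}; must be a summary")
            elif s.subnet_of(r):
                problems.append(f"{s}: more specific than advertised route {r}")
    for r in routes:
        if not any(r != s and r.subnet_of(s) for s in summaries):
            problems.append(f"{r}: not covered by any summary route")
    return problems


def split_rfc1918():
    """The sub-ranges on-premises should advertise instead of the exact RFC 1918 ranges."""
    return [str(half) for net in RFC1918 for half in net.subnets(prefixlen_diff=1)]


# Hub 1 values from the article: workload subnets 10.10.0.0/24 .. 10.10.7.0/24 and the
# 10.150.0.0/22 management block. The two /25 and /24 management routes are constructed
# placeholders standing in for the more specific routes the private cloud really advertises.
HUB1_PRIVATE_TRAFFIC_PREFIXES = ["10.10.0.0/21", "10.150.0.0/22"]
HUB1_ADVERTISED_ROUTES = [f"10.10.{i}.0/24" for i in range(8)] + ["10.150.0.0/25", "10.150.1.0/24"]

if __name__ == "__main__":
    print(validate_private_traffic_prefixes(HUB1_PRIVATE_TRAFFIC_PREFIXES, HUB1_ADVERTISED_ROUTES))
    print(validate_private_traffic_prefixes(["10.10.0.0/24"], HUB1_ADVERTISED_ROUTES))
    print(split_rfc1918())
```

Running it against the Hub 1 values returns no problems; feeding it a single /24 instead of the /21 flags the exact match and every uncovered subnet, which is the misconfiguration the article warns about.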
The diagram illustrates traffic flows from the perspective of on-premises.
Traffic Flow Chart

| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
|---|---|---|---|---|
| 2 | On-premises | → | Azure VMware Solution Cloud Region 1 | Yes, traffic is inspected at the Hub 1 firewall |
| 7 | On-premises | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 2 firewall |
| 8 | On-premises | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 1 firewall |
| 9 | On-premises | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 2 firewall |
This section focuses only on connectivity from the Azure Virtual Networks perspective. As depicted in the diagram, each Virtual Network has a Virtual Network peering directly to its regional hub.
The diagram illustrates how all Azure native resources in both Virtual Networks learn routes under their “Effective Routes”. With Routing Intent enabled, Hub 1 and Hub 2 always send the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to their peered Virtual Networks. Azure native resources in the Virtual Networks don’t learn specific routes from outside their Virtual Network. With Routing Intent enabled, all resources in the Virtual Network currently learn the default RFC 1918 address and use their regional hub firewall as the next hop. Azure VMware Solution Private Clouds communicate with each other via connection “D” to their local regional hub firewall. From there, they traverse the Virtual WAN inter-hub and undergo inspection at the cross-regional hub firewall. Additionally, Azure VMware Solution private clouds communicate with on-premises via connection “D” over their local regional hub firewall. All traffic ingressing and egressing the Virtual Networks will always transit their regional hub firewalls. For more information, see the traffic flow section.
The diagram illustrates traffic flows from the Azure Virtual Networks perspective.
Traffic Flow Chart

| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN Hub firewall? |
|---|---|---|---|---|
| 1 | Virtual Network 1 | → | Azure VMware Solution Cloud Region 1 | Yes, traffic is inspected at the Hub 1 firewall |
| 3 | Virtual Network 2 | → | Azure VMware Solution Cloud Region 1 | Yes, traffic is inspected at the Hub 2 firewall, then the Hub 1 firewall |
| 5 | Virtual Network 1 | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall |
| 6 | Virtual Network 2 | → | Azure VMware Solution Cloud Region 2 | Yes, traffic is inspected at the Hub 2 firewall |
| 8 | Virtual Network 1 | → | On-premises | Yes, traffic is inspected at the Hub 1 firewall |
| 9 | Virtual Network 2 | → | On-premises | Yes, traffic is inspected at the Hub 2 firewall |
| 10 | Virtual Network 1 | → | Virtual Network 2 | Yes, traffic is inspected at the Hub 1 firewall, then the Hub 2 firewall |
| 10 | Virtual Network 2 | → | Virtual Network 1 | Yes, traffic is inspected at the Hub 2 firewall, then the Hub 1 firewall |
This section focuses only on how internet connectivity is provided for Azure native resources in Virtual Networks and Azure VMware Solution Private Clouds with dual region. There are several options to provide internet connectivity to Azure VMware Solution. – see Internet Access Concepts for Azure VMware Solution
Option 1: Internet Service hosted in Azure
Option 2: VMware Solution Managed SNAT
Option 3: Azure Public IPv4 address to NSX-T Data Center Edge
Although you can use all three options with Dual Region Secure Virtual WAN with Routing Intent, “Option 1: Internet Service hosted in Azure” is the best option when using Secure Virtual WAN with Routing Intent and is the option that is used to provide internet connectivity in the scenario. The reason why “Option 1” is considered the best option with Secure Virtual WAN is due to its ease of security inspection, deployment, and manageability.
As mentioned earlier, when you enable Routing Intent on both Secure Hubs, each hub advertises the RFC 1918 ranges to all directly peered Virtual Networks. However, you can also advertise a default route 0.0.0.0/0 for internet connectivity to downstream resources. With Routing Intent, you can choose to generate a default route from both hub firewalls. This default route is advertised to each hub’s directly peered Virtual Networks and to its directly connected Azure VMware Solution private cloud. This section is broken into two subsections: one explains internet connectivity from the perspective of both regional Azure VMware Solution private clouds, the other from the perspective of the Virtual Networks.
When Routing Intent is enabled for internet traffic, the default behavior of the Secure Virtual WAN Hub is to not advertise the default route across ExpressRoute circuits. To ensure the default route is propagated to its directly connected Azure VMware Solution from the Azure Virtual WAN, you must enable default route propagation on your Azure VMware Solution ExpressRoute circuits – see To advertise default route 0.0.0.0/0 to endpoints. Once changes are complete, the default route 0.0.0.0/0 is then advertised via connection “D” from the hub. It’s important to note that this setting shouldn’t be enabled for on-premises ExpressRoute circuits. As a best practice, it’s recommended to implement a BGP Filter on your on-premises equipment. A BGP Filter in place prevents the inadvertent learning of the default route, adds an extra layer of precaution, and ensures that on-premises internet connectivity isn’t impacted.
When you enable Routing Intent for internet access, it automatically generates a default route from both regional hubs and advertises it to their hub-peered Virtual Network connections. You’ll notice under Effective Routes for the Virtual Machines’ NICs in the Virtual Network that the 0.0.0.0/0 next hop is the regional hub firewall. The default route is never advertised across regional hubs over the ‘inter-hub’ link. Therefore, Virtual Networks use their local regional hub for internet access and have no backup internet connectivity to the cross-regional hub.
For more information, see the traffic flow section.
The diagram illustrates traffic flows from the Virtual Networks and Azure VMware Solution Private Clouds perspective.
Traffic Flow Chart

| Traffic Flow Number | Source | Direction | Destination | Traffic Inspected on Secure Virtual WAN hub firewall? |
|---|---|---|---|---|
| 11 | Azure VMware Solution Cloud Region 1 | → | Internet | Yes, traffic is inspected at the Hub 1 firewall |
| 12 | Virtual Network 2 | → | Internet | Yes, traffic is inspected at the Hub 2 firewall |
| 13 | Virtual Network 1 | → | Internet | Yes, traffic is inspected at the Hub 1 firewall |
| 14 | Azure VMware Solution Cloud Region 2 | → | Internet | Yes, traffic is inspected at the Hub 2 firewall |
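The four traffic flow charts above all follow from three rules stated in the text: an endpoint reaches the hub(s) it is attached to (Azure VMware Solution via connection “D”, Virtual Networks via peering, on-premises via connection “E” to both hubs), cross-region traffic crosses the inter-hub link and is inspected at the source hub firewall and then the destination hub firewall, and the default route is never advertised over the inter-hub link. The small model below is an added example, not Microsoft’s code; it transcribes the attachments from the diagram description, uses its own helper names, and regenerates the inspection path for every flow in the charts so you can verify a planned change against the expected firewall path.

```python
"""Which Secure Virtual WAN hub firewalls inspect a flow in the dual-region design without
Global Reach (added example; attachments transcribed from the article, helper names ours)."""

ATTACHMENTS = {
    "Azure VMware Solution Cloud Region 1": {"Hub 1"},  # connection "D" to local hub
    "Azure VMware Solution Cloud Region 2": {"Hub 2"},  # connection "D" to local hub
    "Virtual Network 1": {"Hub 1"},                     # VNet peering to regional hub
    "Virtual Network 2": {"Hub 2"},                     # VNet peering to regional hub
    "On-premises": {"Hub 1", "Hub 2"},                  # connection "E" to both hubs
}

HUB_FED_ENDPOINTS = [name for name, hubs in ATTACHMENTS.items() if len(hubs) == 1]


def inspection_path(source, destination):
    """Ordered list of hub firewalls that inspect traffic from source to destination."""
    src_hubs = ATTACHMENTS[source]
    if destination == "Internet":
        # The default route is learned only from the directly attached hub and is never
        # advertised across the inter-hub link, so egress uses the local hub only.
        if len(src_hubs) != 1:
            raise ValueError(f"{source} does not get its default route from a hub")
        return sorted(src_hubs)
    dst_hubs = ATTACHMENTS[destination]
    shared = src_hubs & dst_hubs
    if shared:
        # A common hub exists (same region, or on-premises is dual-homed): one inspection.
        return sorted(shared)
    # Different regions: local hub firewall, inter-hub link, remote hub firewall.
    return sorted(src_hubs) + sorted(dst_hubs)


def internet_hub_after_outage(source, failed_hub):
    """Hub still providing a default route to a hub-fed endpoint after failed_hub is lost,
    or None: the design has no automatic internet failover to the cross-regional hub."""
    if source not in HUB_FED_ENDPOINTS:
        raise ValueError(f"{source} is not fed a default route by a hub")
    remaining = ATTACHMENTS[source] - {failed_hub}
    return sorted(remaining)[0] if remaining else None


def flow_table():
    """Rebuild the article's charts as (source, destination, firewalls) rows."""
    rows = []
    for src in ATTACHMENTS:
        for dst in ATTACHMENTS:
            if src != dst:
                rows.append((src, dst, inspection_path(src, dst)))
    for src in HUB_FED_ENDPOINTS:
        rows.append((src, "Internet", inspection_path(src, "Internet")))
    return rows


if __name__ == "__main__":
    for src, dst, path in flow_table():
        print(f"{src} -> {dst}: {' then '.join(path)}")
```

Flow 7 (on-premises to Region 2) comes out as Hub 2 only because on-premises shares that hub over connection “E”, while the two flow-10 rows come out as Hub 1 then Hub 2 and Hub 2 then Hub 1, matching the charts.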
With Azure VMware Solution using the Dual-Region without Global Reach design, you don’t have outbound internet connectivity redundancy, because each Azure VMware Solution private cloud learns the default route only from its local regional hub and isn’t directly connected to its cross-regional hub. If a regional outage impacts the local regional hub, you have two options to achieve internet redundancy, both of which are manual configurations.
Option 1: For Outbound Internet Access Only
During a local regional outage, if you need outbound internet access for your Azure VMware Solution workload, you can opt for VMware Solution Managed SNAT. It’s a straightforward solution that quickly provides the access you need. – see Turn on Managed SNAT for Azure VMware Solution workloads
Option 2: For Inbound and Outbound Internet Access
During a local regional outage, if you need both inbound and outbound internet access for your Azure VMware Solution cloud, start by removing the “D” connection for your local regional hub. Remove the Authorization Key created for the “D” connection from the Azure VMware Solution blade in the Azure portal. Then, create a new connection to the cross-regional hub. For handling inbound traffic, consider using Azure Front Door or Traffic Manager to maintain regional high availability.
HCX Mobility Optimized Networking (MON) is an optional feature to enable when using HCX Network Extensions (NE). Mobility Optimized Networking (MON) provides optimal traffic routing under certain scenarios to prevent network tromboning between the on-premises-based and cloud-based resources on extended networks.
Enabling Mobility Optimized Networking (MON) for a specific extended network and a virtual machine changes the traffic flow. For Mobility Optimized Networking (MON), egress traffic from that virtual machine doesn’t trombone back to on-premises. Instead, it bypasses the Network Extensions (NE) IPSEC tunnel. Traffic for that virtual machine will now egress out of the Azure VMware Solution NSX-T Tier-1 Gateway > NSX-T Tier-0 Gateway > Azure Virtual WAN.
Enabling Mobility Optimized Networking (MON) for a specific extended network and a virtual machine also causes Azure VMware Solution NSX-T to inject a /32 host route back to Azure Virtual WAN. Azure Virtual WAN advertises this /32 route back to on-premises, Virtual Networks, and Branch Networks (S2S VPN, P2S VPN, SDWAN). The purpose of this /32 host route is to ensure that traffic from on-premises, Virtual Networks, and Branch Networks (S2S VPN, P2S VPN, SDWAN) doesn’t use the Network Extensions (NE) IPSEC tunnel when destined for the Mobility Optimized Networking (MON) enabled Virtual Machine. Traffic from source networks is directed straight to the Mobility Optimized Networking (MON) enabled Virtual Machine due to the /32 route that is learned.
With ExpressRoute to ExpressRoute transitivity enabled on the Secure Hub and Routing-Intent enabled, the Secure Hub sends the default RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to both the on-premises and Azure VMware Solution. In addition to the default RFC 1918 addresses, both on-premises and Azure VMware Solution learn more specific routes from Azure Virtual Networks and Branch Networks (S2S VPN, P2S VPN, SDWAN) that are connected to the hub. However, on-premises networks don’t learn any specific routes from the Azure VMware Solution, nor does the reverse occur. Instead, both environments rely on the default RFC 1918 addresses to facilitate routing back to one another via their local regional Hub firewall. This means that more specific routes, such as HCX Mobility Optimized Networking (MON) Host Routes, aren’t advertised from the Azure VMware Solution ExpressRoute to the on-premises-based ExpressRoute circuit and vice-versa. The inability to learn specific routes introduces asymmetric traffic flows. Traffic egresses Azure VMware Solution via the NSX-T Tier-0 gateway, but returning traffic from on-premises returns over the Network Extensions (NE) IPSEC tunnel.
To correct any traffic asymmetry, you need to adjust the HCX Mobility Optimized Networking (MON) Policy Routes. Mobility Optimized Networking (MON) policy routes determine which traffic goes back to the on-premises Gateway via an L2 extension. They also decide which traffic is routed through the Azure VMware Solution NSX Tier-0 Gateway.
If a destination IP matches an entry set to “allow” in the Mobility Optimized Networking (MON) policy configuration, then two actions occur. First, the packet is identified. Second, it’s sent to the on-premises gateway through the HCX Network Extension appliance.
If a destination IP doesn’t match or is set to “deny” in the Mobility Optimized Networking (MON) policy, the system sends the packet to the Azure VMware Solution Tier-0 for routing.
HCX Policy Routes

| Network | Redirect to Peer | Note |
|---|---|---|
| Azure Virtual Network Address Space | Deny | Explicitly include the address ranges for all your Virtual Networks. Traffic intended for Azure is directed out via the Azure VMware Solution and doesn’t return to the on-premises network. |
| Default RFC 1918 Address Spaces | Allow | Add the default RFC 1918 addresses 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. This configuration ensures that any traffic not matching the entries above is rerouted back to the on-premises network. If your on-premises setup uses addresses that aren’t part of RFC 1918, you must explicitly include those ranges. |
| 0.0.0.0/0 | Deny | Addresses not covered by RFC 1918, such as Internet-routable IPs, and any traffic that doesn’t match the entries above exit directly through the Azure VMware Solution and aren’t redirected back to the on-premises network. |
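The policy route table above only produces the intended result if the most specific matching entry wins: a Virtual Network /16 “deny” must beat the 10.0.0.0/8 “allow”, which in turn must beat the 0.0.0.0/0 “deny”. The evaluator below is an added example, not HCX’s own code; longest-prefix-match ordering is our stated assumption about how HCX resolves overlapping entries, the Virtual Network address spaces are constructed sample values, and the 203.0.113.0/24 range stands in for a non-RFC 1918 on-premises range that the table says you must add explicitly.

```python
"""Evaluate HCX Mobility Optimized Networking (MON) policy routes for a destination
(added example, not HCX code). Assumption: the most specific matching entry decides.
"allow" (Redirect to Peer) -> packet goes back over the Network Extension tunnel to the
on-premises gateway; "deny" or no match -> routed by the Azure VMware Solution NSX-T Tier-0."""
from ipaddress import ip_address, ip_network

TO_ONPREM = "on-premises gateway (NE tunnel)"
TO_TIER0 = "AVS NSX-T Tier-0"

# Constructed sample: address spaces of the Azure Virtual Networks in this deployment.
VNET_ADDRESS_SPACES = ["10.1.0.0/16", "10.2.0.0/16"]

# Policy routes as laid out in the article's table.
POLICY_ROUTES = (
    [(space, "deny") for space in VNET_ADDRESS_SPACES]
    + [("10.0.0.0/8", "allow"), ("172.16.0.0/12", "allow"), ("192.168.0.0/16", "allow")]
    + [("0.0.0.0/0", "deny")]
)


def matching_entry(destination, policy=POLICY_ROUTES):
    """Return the (network, action) entry with the longest prefix containing destination."""
    dst = ip_address(destination)
    best = None
    for prefix, action in policy:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action.lower())
    return best


def next_hop(destination, policy=POLICY_ROUTES):
    """Where a MON-enabled VM's packet for destination is sent."""
    entry = matching_entry(destination, policy)
    if entry is not None and entry[1] == "allow":
        return TO_ONPREM
    return TO_TIER0


def missing_vnet_spaces(policy, vnet_spaces):
    """Virtual Network spaces that lack an explicit deny; such traffic would wrongly trombone
    back to on-premises because it falls under the RFC 1918 allow."""
    denied = {ip_network(p) for p, a in policy if a.lower() == "deny"}
    return [s for s in vnet_spaces if ip_network(s) not in denied]


if __name__ == "__main__":
    for dst in ["10.1.4.20", "10.200.1.1", "172.20.0.5", "8.8.8.8"]:
        print(dst, "->", next_hop(dst))
```

With only the RFC 1918 allow entries and no Virtual Network denies, `missing_vnet_spaces` reports every Virtual Network space, which is exactly the configuration the first table row tells you to avoid.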
For more information on Virtual WAN hub configuration, see About virtual hub settings.
For more information on how to configure Azure Firewall in a Virtual Hub, see Configure Azure Firewall in a Virtual WAN hub.
For more information on how to configure the Palo Alto Next Generation SAAS firewall on Virtual WAN, see Configure Palo Alto Networks Cloud NGFW in Virtual WAN.
For more information on Virtual WAN hub routing intent configuration, see Configure routing intent and policies through Virtual WAN portal.
Lock/Unlock All Tabs
I have the macro below to lock/unlock all of the tabs at 1 time. How do I add a line to use ALT+L to lock and ALT+U to unlock?
Sub ProtectAll()
    ' Protect every worksheet in the active workbook with the same password
    Dim wsh As Worksheet
    For Each wsh In Worksheets
        wsh.Protect Password:="1020"
    Next wsh
End Sub

Sub UnprotectAll()
    ' Remove protection from every worksheet using the same password
    Dim wsh As Worksheet
    For Each wsh In Worksheets
        wsh.Unprotect Password:="1020"
    Next wsh
End Sub
Database and microsoft entra id
How can I still use Microsoft Entra ID but still query my user information using my own database (MongoDB)? Should I synchronize both? Is there any other better solution? Thanks
Quick-Books keeps asking to update issue – How to fix it?
Why does Quick-Books keep asking to update every time I open it, and how can I resolve this issue?
Resolve Quick-Books Error PS038 – Can’t Run or Update Pay-roll after update?
Experiencing Quick-Books Error PS038 while trying to update pay-roll. How can I resolve this issue? I’ve already tried restarting the software and updating it to the latest version.